updated

Azure · Feb 27, 2024 · 672bd01 · 672bd01
1 parent 6e567c6
commit 672bd01
Show file tree

Hide file tree

Showing 5 changed files with 102 additions and 52 deletions.
diff --git a/bicep/main.bicep b/bicep/main.bicep
@@ -7,6 +7,13 @@ param location string = resourceGroup().location
 @description('Specify the AD Application Client Id.')
 param applicationClientId string
 
+@description('Specify the AD Application Principal Id.')
+param applicationClientPrincipal string = ''
+
+@description('Specify the AD Application Client Secret.')
+@secure()
+param applicationClientSecret string = ''
+
 @allowed([
   'CostOptimised'
   'Standard'
@@ -254,26 +261,10 @@ module commonBlade 'modules/blade_common.bicep' = {
 
     workspaceIdName: configuration.secrets.logAnalyticsId
     workspaceKeySecretName: configuration.secrets.logAnalyticsKey
-
-    vaultSecrets: [ 
-      {
-        secretName: configuration.secrets.tenantId
-        secretValue: subscription().tenantId
-      }
-      {
-        secretName: configuration.secrets.subscriptionId
-        secretValue: subscription().subscriptionId
-      }
-      // Azure AD Secrets
-      {
-        secretName: configuration.secrets.clientId
-        secretValue: applicationClientId
-      }
-      {
-        secretName: configuration.secrets.applicationPrincipalId
-        secretValue: applicationClientId
-      }
-    ]
+
+    applicationClientId: applicationClientId
+    applicationClientSecret: applicationClientSecret
+    applicationClientPrincipal: applicationClientPrincipal
   }
   dependsOn: [
     networkBlade
@@ -410,7 +401,7 @@ module serviceBlade 'modules/blade_service.bicep' = {
         label: 'configmap-devsample'
       }
       {
-        name: 'aad_client_id'
+        name: 'client_id'
         value: applicationClientId
         contentType: 'text/plain'
         label: 'configmap-services'
@@ -422,8 +413,8 @@ module serviceBlade 'modules/blade_service.bicep' = {
         label: 'configmap-services'
       }
       {
-        name: 'azure_activedirectory_AppIdUri'
-        value: applicationClientId
+        name: 'appid_uri'
+        value: 'api://${applicationClientId}'
         contentType: 'text/plain'
         label: 'configmap-services'
       }

diff --git a/bicep/main.parameters.json b/bicep/main.parameters.json
@@ -5,6 +5,12 @@
     "applicationClientId": {
       "value": "${AZURE_CLIENT_ID}"
     },
+    "applicationClientSecret": {
+      "value": "${AZURE_CLIENT_SECRET}"
+    },
+    "applicationClientPrincipal": {
+      "value": "${AZURE_CLIENT_PRINCIPAL}"
+    },
     "enableManage": {
       "value": "${ENABLE_MANAGE}"
     },

diff --git a/bicep/modules/blade_common.bicep b/bicep/modules/blade_common.bicep
@@ -25,9 +25,6 @@ param bladeConfig bladeSettings
 @description('Feature Flag to Enable Private Link')
 param enablePrivateLink bool
 
-@description('The list of secrets to persist to the Key Vault')
-param vaultSecrets array
-
 @description('The workspace resource Id for diagnostics')
 param workspaceResourceId string
 
@@ -53,24 +50,18 @@ param cmekConfiguration object = {
   identityId: ''
 }
 
+@description('Specify the AD Application Client Id.')
+param applicationClientId string
+
+@description('Specify the AD Application Client Secret.')
+@secure()
+param applicationClientSecret string
+
+@description('Specify the AD Application Principal Id.')
+param applicationClientPrincipal string = ''
+
+
 var commonLayerConfig = {
-  secrets: {
-    tenantId: 'tenant-id'
-    subscriptionId: 'subscription-id'
-    registryName: 'container-registry'
-    applicationId: 'aad-client-id'
-    clientId: 'app-dev-sp-username'
-    clientSecret: 'app-dev-sp-password'
-    applicationPrincipalId: 'app-dev-sp-id'
-    stampIdentity: 'osdu-identity-id'
-    storageAccountName: 'common-storage'
-    storageAccountKey: 'common-storage-key'
-    cosmosConnectionString: 'graph-db-connection'
-    cosmosEndpoint: 'graph-db-endpoint'
-    cosmosPrimaryKey: 'graph-db-primary-key'
-    logAnalyticsId: 'log-workspace-id'
-    logAnalyticsKey: 'log-workspace-key'
-  }
   storage: {
     sku: 'Standard_LRS'
     tables: [
@@ -110,6 +101,37 @@ var commonLayerConfig = {
 
 var name = 'kv-${replace(bladeConfig.sectionName, '-', '')}${uniqueString(resourceGroup().id, bladeConfig.sectionName)}'
 
+@description('The list of secrets to persist to the Key Vault')
+var vaultSecrets = [ 
+  {
+    secretName: 'tenant-id'
+    secretValue: subscription().tenantId
+  }
+  {
+    secretName: 'app-dev-sp-tenant-id'
+    secretValue: subscription().tenantId
+  }
+  {
+    secretName: 'subscription-id'
+    secretValue: subscription().subscriptionId
+  }
+  // Azure AD Secrets
+  {
+    secretName: 'app-dev-sp-password'
+    secretValue: applicationClientSecret == '' ? 'dummy' : applicationClientSecret
+  }
+  {
+    secretName: 'app-dev-sp-id'
+    secretValue: applicationClientId
+  }
+]
+
+var roleAssignment = {
+  roleDefinitionIdOrName: 'Key Vault Secrets User'
+  principalId: applicationClientPrincipal
+  principalType: 'ServicePrincipal'
+}
+
 module keyvault 'br/public:avm/res/key-vault/vault:0.3.4' = {
   name: '${bladeConfig.sectionName}-keyvault'
   params: {
@@ -126,6 +148,10 @@ module keyvault 'br/public:avm/res/key-vault/vault:0.3.4' = {
 
     // Configure RBAC
     enableRbacAuthorization: true
+    roleAssignments: union(
+      applicationClientPrincipal != '' ? array(roleAssignment) : [],
+      []
+    )
 
     // Configure Secrets
     secrets: {
@@ -248,8 +274,9 @@ module configStorage './storage-account/main.bicep' = {
 
     // Persist Secrets to Vault
     keyVaultName: keyvault.outputs.name
-    storageAccountSecretName: commonLayerConfig.secrets.storageAccountName
-    storageAccountKeySecretName: commonLayerConfig.secrets.storageAccountKey
+    storageAccountSecretName: 'tbl-storage'
+    storageAccountKeySecretName: 'tbl-storage-key'
+    storageAccountEndpointSecretName: 'tbl-storage-endpoint'
   }
 }
 
@@ -325,9 +352,9 @@ module database './cosmos-db/main.bicep' = {
 
     // Persist Secrets to Vault
     keyVaultName: keyvault.outputs.name
-    databaseEndpointSecretName: commonLayerConfig.secrets.cosmosEndpoint
-    databasePrimaryKeySecretName: commonLayerConfig.secrets.cosmosPrimaryKey
-    databaseConnectionStringSecretName: commonLayerConfig.secrets.cosmosConnectionString
+    databaseEndpointSecretName: 'graph-db-endpoint'
+    databasePrimaryKeySecretName: 'graph-db-primary-key'
+    databaseConnectionStringSecretName: 'graph-db-connection'
   }
 }
 

diff --git a/bicep/modules/blade_service.bicep b/bicep/modules/blade_service.bicep
@@ -299,6 +299,19 @@ module appIdentity 'br/public:avm/res/managed-identity/user-assigned-identity:0.
   }
 }
 
+resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+  name: kvName
+}
+
+resource keySecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
+  name: 'app-dev-sp-username'
+  parent: keyVault
+
+  properties: {
+    value: appIdentity.outputs.clientId
+  }
+}
+
 module federatedCredsOsduAzure './federated_identity.bicep' = {
   name: '${bladeConfig.sectionName}-federated-cred-ns_osdu-azure'
   params: {
@@ -462,10 +475,10 @@ module appConfigMap './aks-config-map/main.bicep' = {
     name: 'config-map-values'
     namespace: 'default'
 
-    newOrExistingManagedIdentity: 'existing'
-    managedIdentityName: managedIdentityName
-    existingManagedIdentitySubId: subscription().subscriptionId
-    existingManagedIdentityResourceGroupName:resourceGroup().name
+    // newOrExistingManagedIdentity: 'existing'
+    // managedIdentityName: managedIdentityName
+    // existingManagedIdentitySubId: subscription().subscriptionId
+    // existingManagedIdentityResourceGroupName:resourceGroup().name
 
     // Order of items matters here.
     fileData: [

diff --git a/bicep/modules/storage-account/main.bicep b/bicep/modules/storage-account/main.bicep
@@ -447,6 +447,9 @@ param storageAccountSecretName string = ''
 @description('Optional: To save storage account key into vault set the secret name.')
 param storageAccountKeySecretName string = ''
 
+@description('Optional: To save storage account endpoint into vault set the secret name.')
+param storageAccountEndpointSecretName string = ''
+
 @description('Optional: To save storage account connectionstring into vault set the secret name.')
 param storageAccountConnectionString string = ''
 
@@ -483,6 +486,16 @@ module secretStorageAccountKey '.bicep/keyvault_secrets.bicep' =  if (!empty(key
   }
 }
 
+
+module secretStorageAccountEndpoint '.bicep/keyvault_secrets.bicep' =  if (!empty(keyVaultName) && !empty(storageAccountEndpointSecretName)) {
+  name: '${deployment().name}-secret-endpoint'
+  params: {
+    keyVaultName: keyVaultName
+    name: storageAccountEndpointSecretName
+    value: storage.properties.primaryEndpoints.table
+  }
+}
+
 module secretStorageAccountConnection '.bicep/keyvault_secrets.bicep' =  if (!empty(keyVaultName) && !empty(storageAccountConnectionString)) {
   name: '${deployment().name}-secret-connectionstring'
   params: {